Information management system

ABSTRACT

Provided is an information management system capable of reliably protecting personal data while ensuring the usefulness of the information when data containing personal data are processed. In an information management system (1), processing-object data containing personal data are acquired by an information management apparatus (2), the personal data are extracted from the processing-object data, and the extracted personal data are processed by means of a one-way function to generate a unique code. The personal data contained in the processing-object data are replaced with the unique code to generate primary conversion data, the primary conversion data are transmitted from the information management apparatus (2) to an information center apparatus (4), and they are stored in a database (5) and used for statistical processing.

TECHNICAL FIELD

The present invention relates to an information management system for managing information containing personal data.

BACKGROUND ART

With the development of computerization, a large volume of computerized information has come to be handled in governmental departments, private enterprises, public entities, and the like. Computerized information can be easily processed in the form of accumulation, retrieval, copying, etc., and further, it can be subjected to advanced data processing such as detailed analysis, so that it is highly useful.

Meanwhile, not a few of the above computerized data contain personal data such as individual names, birth dates, addresses, telephone numbers, sexes, family structures, and the like. It is imperative to handle personal data carefully for preventing them from being misused and preventing the infringement of privacy, and it is required to keep them secret as required.

For example, when data of individual attributes are statistically processed, it is inevitable to collect a large volume of information containing personal data, so that a large amount of labor is spent for implementing stringent information management. Studies have been made in various ways for a method of effectively and reliably protecting personal data.

For example, there has been a method in which character strings denoting personal data are all replaced with senseless characters or symbols. In this method, however, personal data are completely lost, so that there is caused a problem that it is no longer possible to distinguish a plurality of data relating to one person from a plurality of data relating to a plurality of persons. This problem could lead to a disadvantage that the number of parent populations comes to be ambiguous in statistical procedures, so that the accuracy of analysis is degraded.

There has been therefore available a method in which only part of a character string denoting personal data is manipulated by simple procedures such as sorting of characters or substitution of other characters. In this method, personal data partly retain a state that the part has had in the beginning, so that it is at least possible to discriminate information relating to one and the same person and information relating to other persons by referring to a plurality of manipulated personal data. In this method, however, regularity can be found when the manipulated personal data are analyzed, so that it can be possibly revealed what manipulations have been applied thereto. When information data that are to be strictly managed such as information on personal health conditions, assets, etc., are handled, the above method cannot be employed due to concerns for security.

When manipulation is applied to personal data as an object to be processed for keeping personal data secret, there has been involved a problem that the usefulness of data is impaired when the manipulation is complicated, or that personal data cannot be reliably protected when the manipulation is simple.

Under the circumstances, there has been hence employed a method in which information containing personal data is encrypted using a password. In this method, however, it is required to take control of the password so that it may not be lost or revealed, and there has been therefore involved a problem that the management burden is heavy. Further, in the method in which a large volume of data are encrypted for storage and decrypted for use, the encryption and decryption are time-consuming, so that there has been a problem that the efficiency of information processing is decreased.

DISCLOSURE OF THE INVENTION

It is an object of the present invention to provide an information management system that is capable of reliably protecting personal data without impairing the usefulness of the information in the processing of the information containing personal data.

For achieving the above object, the first subject matter of the present invention is directed to an information management apparatus for processing data containing personal data,

which comprises personal data extraction means for extracting personal data from processing-object data,

unique code generation means for performing a one-way-function-applied operation on the basis of personal data extracted by said personal data extraction means, to generate a unique code, and

primary conversion data generation means for replacing personal data of said processing-object data with said unique code, to generate primary conversion data.

The second subject matter of the present invention is an information management apparatus as recited in the first subject matter, which further comprises storage means for storing said primary conversion data and said processing-object data in a state in which these data correspond to each other.

The third subject matter of the present invention is an information management apparatus as recited in the first subject matter, wherein said unique code generation means is comprised of a reference character string generation means for generating a reference character string from personal data extracted by said personal data extraction means, and operation means for operating a predetermined operation-object character string by means of said one-way function using said reference character string as a key, to generate said unique code.

The fourth subject matter of the present invention is an information management apparatus as recited in the third subject matter, wherein said operation means is comprised of digit number determination means for determining an operation digit number on the basis of said reference character string, operation-object character string generation means for generating an operation-object character string having said operation digit number and operation implementation means for operating said operation-object character string by means of said one-way function using said reference character string as a key.

The fifth subject matter of the present invention is directed to an information management apparatus as recited in the first subject matter, which further comprises a secondary conversion data generation means for encrypting said primary conversion data to generate secondary conversion data, output means for outputting said secondary conversion data to other apparatus, and storage means for storing said secondary conversion data, said primary conversion data on which said secondary conversion data are based, said processing-object data on which said primary conversion data are based and records of output by said output means in a state in which these data and record correspond to one another when said secondary conversion data is outputted by said output means.

The sixth subject matter of the present invention is an information management system which comprises an information management apparatus for processing data containing personal data and an information center apparatus for managing data processed with said information management apparatus, the information management apparatus and the information center apparatus being connected to each other through a communication line, said information management apparatus comprising personal data extraction means for extracting personal data from processing-object data, unique code generation means for performing an operation using one-way function on the basis of personal data extracted with said personal data extraction means and thereby generating a unique code, primary conversion data generation means for replacing the personal data of said processing-object data with said unique code and thereby generating primary conversion data, secondary conversion data generation means for encrypting said primary conversion data and thereby generating secondary conversion data, output means for outputting said secondary conversion data to said information management apparatus through said communication line, and storage means for storing, when said secondary conversion data are outputted with said output means, said secondary conversion data outputted, said primary conversion data as an original of said secondary conversion data, said processing-object data as an original of said primary conversion data and records of the output made by said output means, in a state in which they correspond to one another, said information center apparatus comprising receiving means for receiving secondary conversion data transmitted from said information management apparatus and decryption means for decrypting secondary conversion data received with said receiving means and thereby generating said primary conversion data.

The seventh subject matter of the present invention is an information management system as recited in the sixth subject matter, wherein said information center apparatus further comprises data storage means for storing primary conversion data generated with said decryption means and processes data stored in said data storage means with using said unique code as a key.

The eighth subject matter of the present invention is an information management system as recited in the seventh subject matter, wherein said information center apparatus detects data containing the same unique code from a plurality of data containing said unique codes stored in said data storage means.

The ninth subject matter of the present invention is a program for causing an information management computer for processing data containing personal data to execute processing comprising the steps of extracting personal data from processing-object data with personal data extraction means, implementing an operation using a one-way function on the basis of the personal data extracted with said personal data extraction means by means of unique code generation means to generate a unique code, and replacing personal data of said processing-object data with said unique code by means of primary conversion data generation means to generate primary conversion data.

The tenth subject matter of the present invention is a program as recited in the ninth subject matter, which is for causing the information management computer to execute the processing which further comprises the step of storing said primary conversion data and said processing-object data as an origin of said primary conversion data in storage means in a state in which they correspond to each other.

The eleventh subject matter of the present invention is a program as recited in the ninth subject matter, wherein the step of generating the unique code with said unique code generation means comprises the steps of generating a reference character string from personal data, which are extracted with said personal data extraction means, with a reference character string generation means, and operating a predetermined operation-object character string with said one-way function using said reference character string as a key to generate said unique code.

The twelfth subject matter of the present invention is a program as recited in the eleventh subject matter, wherein the step of generating said unique code with said operation means comprises the steps of determining an operation digit number on the basis of said reference character string with digit number determination means, generating an operation-object character string having said operation digit number with operation-object character string generation means, and operating said operation-object character string on the basis of said one-way function with an operation implementation means using said reference character string as a key.

The thirteenth subject matter of the present invention is a program as recited in the ninth subject matter, which is for causing the information management computer to execute the processing which further comprises the steps of encrypting said primary conversion data with secondary conversion data generation means to generate secondary conversion data, outputting said secondary conversion data to other apparatus with output means, and causing storage means, when said secondary conversion data are outputted with said output means, to store said secondary conversion data outputted, said primary conversion data as an origin of said secondary conversion data, said processing-object data as an origin of said primary conversion data and records of the output by said output means, in a state in which they correspond to one another.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram showing the concept of processing in an embodiment of the present invention.

FIG. 2 is a diagram showing the constitution of an information management system in the embodiment of the present invention.

FIG. 3 is a block diagram showing a functional constitution of an information management apparatus shown in FIG. 2.

FIG. 4 is a diagram showing a constitution of a Rezept data to be processed in the embodiment of the present invention. In the description, “Rezept” means a statement of medical treatment fees paid to a medical institution under the medical insurance system.

FIG. 5 is a flow diagram showing the operation of the information management system shown in FIG. 2.

FIG. 6 is a flow diagram showing details of unique code generation processing in the embodiment of the present invention.

FIG. 7 is a diagram showing a specific example for explaining the unique code generation processing in the embodiment of the present invention.

FIG. 8 is a diagram showing another specific example for explaining the unique code generation processing in the embodiment of the present invention.

FIG. 9 is a flow diagram showing details of the processing of transmitting and receiving data in the embodiment of the present invention.

FIG. 10 is a diagram showing an example of a database in which data containing personal data are stored.

FIG. 11 is a diagram showing an example of a database in which data containing unique codes are stored.

PREFERRED EMBODIMENTS OF THE INVENTION

FIG. 1 is a diagram showing an underlying concept of embodiments of the present invention. The present invention addresses information containing personal data as a processing object.

The personal data referred to herein include data which permits identification of a person by itself or in combination with other information and data that can be used or revealed only when consent is given or that is said to be desirably kept secret, such as a personal history (an educational background, a job history and other information showing a history of activities), information showing personal attributes in various organizations, and the like. Specific examples of the personal data are a name, a birth date, a sex, an address, a contact address (a telephone number, a facsimile telephone number, an e-mail address, etc.), data relating to social security or taxes (a social security number, a taxpayer identification number, etc.), data relating to an occupation (a name and address of place of employment, a contact address, a position, responsibilities, etc.), data relating to educational institutions in which a person is, or used to be, enrolled (the name, address and contact address of an educational institution, a year of registration or graduation in/from a school, a student ID number, etc.), data showing personal purchase history (a history of commodity purchase, a policy number of life insurance or damage insurance in which a person takes out a policy, etc.), personal credit data such as a credit card number, an account number in a banking institution, and the like.

Basic data 101 shown in FIG. 1 contain personal data 102 in a state where they are identifiable by a third party. In this embodiment, a unique code 104 is generated on the basis of the personal data 102, and the personal data 102 are replaced with the unique code 104 to generate primary conversion data 103. That is, the primary conversion data 103 are the same as the basic data 101 except that the personal data 102 of the basic data 101 are replaced with the unique code 104.

In this embodiment, further, when the primary conversion data 103 are outputted to other devices, that is, when the primary conversion data 103 are transmitted or received through a communication line or transported via a recording medium in which they are recorded, there are used secondary conversion data 105 generated by encrypting the entire primary conversion data 103 with a predetermined password. When a device receives the secondary conversion data 105, the device decrypts the secondary conversion data 105 with the above password, whereby the primary conversion data 103 can be obtained.

Preferred embodiments of the present invention will be specifically explained in detail below with reference to FIGS. 2 to 11.

FIG. 2 is a diagram showing a constitution of an information management system according to an embodiment of the present invention. An information management system 1 shown in FIG. 2 comprises an information management apparatus 2 and an information center apparatus 4 connected to the information management apparatus 2 through a network 3. While FIG. 2 shows two information management apparatuses 2, it is sufficient to provide at least one information management apparatus 2.

The network 3 includes various communication lines such as a dedicated line, a public telephone line, a satellite communication channel, and the like. The network 3 may be an open network like the Internet or may be a closed network which limited apparatus alone can access. Specific embodiments (type of a line, a bandwidth, a network topology and protocol to be used) of the network 3 shall not be specially limited, and the network 3 may have an embodiment including various server apparatuses, firewall apparatuses, gateway apparatuses, and the like.

The information management apparatus 2 and the information center apparatus 4 transmit and receive various data, control data, etc., to/from each other through the network 3.

The information center apparatus 4 receives information transmitted from the information management apparatus 2, and when the received information is encrypted information, the information center apparatus 4 decrypts the information. Further, the information center apparatus 4 has a database 5 and causes the database 5 to record the decrypted information, and it also retrieves information recorded in the database 5 to execute processes such as selection, projection and joining.

FIG. 3 is a block diagram showing a functional constitution of the information management apparatus 2. As shown in FIG. 3, the information management apparatus 2 has CPU (Central Processing Unit) 21, RAM (Random Access Memory) 22, a storage device 23, a recording medium reader 24, an input device 25, a display device 26 and a communication control device 27, and each unit is connected to a bus 28.

CPU 21 reads out and executes a computer program stored in the storage device 23 on the basis of an instruction inputted by a user with the input device 25 to perform processing shown in FIG. 5. That is, CPU 21 reads out information recorded in a recording medium with the recording medium reader 24 and acquires basic data to generate primary conversion data on the basis of the basic data. Further, CPU 21 encrypts the primary conversion data to generate secondary conversion data and transmits the secondary conversion data to the information center apparatus 4 through the network 3.

RAM 22 tentatively stores computer programs to be executed by CPU 21 and data to be processed during the execution of the computer programs.

The storage device 23 stores the computer programs to be executed by CPU 21 and data to be processed during the execution of the computer programs in a state in which they are readable by CPU 21. The storage device 23 outputs a requested computer program, data, etc., to CPU 21 according to a read request from CPU 21. Further, the storage device 23 stores data according to a write request from CPU 21.

The recording medium reader 24 is a device for reading out information recorded in a portable recording medium such as a magnetic or optical recording medium, a recording medium integrated with a semiconductor memory device, or the like, according to the control by CPU 21.

The input device 25 includes a pointing device such as a mouse, a pen tablet, a touch panel, a digitizer, or the like and an input device such as a keyboard, or the like, and generates an actuating signal according to the operation of the input device to output it to CPU 21.

The display device 26 has a display screen such as CRT (Cathode Ray Tube), LCD (Liquid Crystal Display), or the like, and displays an instruction inputted by the input device 25, a result of processing executed by CPU 21, or the like, on the display screen.

The communication control device 27 is connected to the network 3 and transmits/receives various data through the network 3.

FIG. 4 is a diagram showing a constitution of “Rezept” data as an object to be processed in this embodiment. FIG. 4(a) shows a constitution of the entire Rezept data, and FIG. 4(b) shows a constitution of a portion that particularly contains personal data. While the information management system 1 can process various data, this embodiment will explain the case of processing Rezept data as an example of data containing personal data.

The “Rezept” officially refers to a statement of medical treatment fees that a medical institution prepares and submits to an insurer for receiving medical treatment fees under the health insurance system in Japan. The Rezept has records of various data such as personal data of a patient, data relating to a medical institution where the patient has been medically treated, data showing medical treatment contents, data relating to medical treatment fee amounts, and the like.

Generally, medical treatment fees using the Rezept are billed every month, so that a medical institution uses one Rezept for billing an insurer for medical treatment fees for the medical treatments that have been provided for one patient in one month. When one patient is medically treated in a plurality of medical institutions, the plurality of medical institutions prepare and submit Rezepts, respectively. For one patient, therefore, a plurality of Rezepts may be submitted per month.

In some medical institutions where data of medical treatments are processed by computerization, there are prepared Rezept data that are finalized data to be recorded in Rezepts, and Rezepts are prepared by printing Rezept data in a specified format.

A Rezept data is constituted, for example, as shown in FIG. 4(a). Incidentally, FIG. 4(a) is at least a diagram showing an example, and not all of Rezepts are constituted as shown in FIG. 4(a).

Rezept data 6 is data in which various pieces of information to be recorded in the Rezept are described in a CSV (Comma Separated Value) format. The Rezept data 6 comprises a medical institution record 61, a Rezept common record 62, an insurer record 63, an elderly record 64, a public expenditure record 65, an injury or disease name record 66 and remarks information 67.

The medical institution record 61 is constituted of up to 62-byte data containing information on a medical institution which has provided a patient with medical treatment, that is, information on a medical institution which prepares a Rezept and other information. Specifically, the medical institution record 61 contains information showing an autonomous body to which the location of the medical institution belongs, a code provided to the medical institution, the name of the medical institution, a course of medical treatment, date of billing medical treatment fees, and the like.

The Rezept common record 62 is constituted of up to 122-byte data mainly containing information on a patient. Specifically, the Rezept common record 62 contains date(s) on which a patient has received medical treatment, the name, birth date and sex of the patient, the proportion of medical treatment fee which the patient is to pay individually, the number of the patient's file, and the like. When the patient is hospitalized, it also contains information such as the date of the hospitalization, a type of a hospital ward, the number of beds, and the like.

The insurer record 63 is constituted of up to 138-byte data containing information on an insurer to which medical treatment fee is billed, the health insurance certificate number of the patient, information on a medical treatment fee amount and a breakdown thereof, and the like.

The elderly record 64 contains various pieces of information for receiving a medical treatment fee from an autonomous body under the system of medical care for senior citizens and is constituted of up to 143-byte data.

The public expenditure record 65 contains various pieces of information necessary for the patient to receive special public financial assistance to a medical treatment fee and is constituted of up to 63-byte data.

The injury or disease name record 66 is constituted of up to 139-byte data containing information on the injury or disease of the patient.

The remarks information 67 is constituted of up to 241-byte data containing a medical treatment record (up to 32 bytes) containing contents of medical treatment that the medical institution has provided for the patient, a medicament record (up to 33 bytes) containing information on medicaments used, a special-apparatus record (up to 86 bytes) containing information on an apparatus used, and a comment record (up to 90 bytes) containing information such as comments, etc., as additional information on contents of the medical treatment.

As shown in FIG. 4(b), the Rezept common record 62 contains a name 621 (up to 40 bytes), a birth date 622 (7 bytes) and a sex code 623 (1 byte) which constitute personal data of a patient. The sex code refers to a code that is determined beforehand as a code for expressing a sex. In this embodiment, a male is expressed by “1”, and a female is expressed by “2”.

The operation of the information management system 1 will be explained below.

FIG. 5 is a flow diagram showing the operation of the information management system shown in FIG. 2. Particularly, FIG. 5(a) shows the operation of the information management apparatus 2, and FIG. 5(b) shows the operation of the information center apparatus 4.

In step S11 (FIG. 5(a)), the recording medium reader 24 reads out information from a recording medium, so that the information management apparatus 2 acquires basic data (Rezept data) as a processing object.

In step S12, the information management apparatus 2 detects personal data in the basic data. In step S13, then, the information management apparatus 2 executes processing to generate a unique code on the basis of the personal data detected in step S12.

The unique code generation processing in step S13 will be explained later with reference to FIG. 6.

After generation of the unique code, the information management apparatus 2 in step S14 reproduces basic data and replaces the personal data in the reproduced basic data with the unique code to generate primary conversion data. In step S15, the information management apparatus 2 causes the storage device 23 to store the primary conversion data generated in step S14 together with the basic data, and proceeds to step S16 to receive an instruction to be inputted from the input device 25.

In step S16, when an instruction to transmit data to the information center apparatus 4 is inputted from the input device 25, the information management apparatus 2 proceeds to step S17 and executes processing to transmit data to the information center apparatus 4. The processing of transmitting/receiving data in step S17 will be explained later with reference to FIG. 9(a).

After the processing of transmitting/receiving data in step S17, the information management apparatus 2 ends the operation.

Further, when no instruction is inputted from the input device 25, the information management apparatus 2 proceeds back to step S11.

Upon the start of the processing of transmitting/receiving data by the information management apparatus 2 in step S17, the information center apparatus 4 proceeds to step S21 (FIG. 5(b)) to execute the processing of transmitting/receiving data. The processing of transmitting/receiving data in step S21 will be explained later with reference to FIG. 9(b).

After the processing of transmitting/receiving data, the information center apparatus 4 proceeds to step S22 and executes the processing of operating the database by means of the unique code as a key with regard to information received in step S21.

FIG. 6 is a flow diagram that more fully shows the processing of generating the unique code shown in step S13 in FIG. 5(a).

In step S31, the information management apparatus 2 extracts personal data from the basic data. In step S32, the information management apparatus 2 removes half size spaces and full size spaces from the extracted personal data and prepares a reference character string.

In subsequent step S33, the information management apparatus 2 acquires character codes with respect to all of characters constituting the reference character string. In step S33, there can be used various character code sets such as character code sets of ASCII code, Unicode, JIS code, shift JIS code, and the like.

In step S34, the information management apparatus 2 calculates a total of character codes of all of characters constituting the reference character string. In subsequent step S35, the information management apparatus 2 divides the sum total of the character codes determined in step S34 by the numeric “32”, to determine a quotient and a remainder. The information management apparatus 2 proceeds to step S36 and adds 100 to the determined remainder to obtain an operation digit number.

By the processing through the above steps S33 to S36, the operation digit number is determined to be one of 100 to 131. The range of those values which the operation digit number can have is determined depending upon a divisor (division) used in step S35. When the divisor (division) is, for example, 50, the operation digit number is determined in the range of 100 to 149. When the divisor (division) is 10, the operation digit number is determined in the range of 100 to 109. That is, when the divisor (division) is an integer n, the operation digit number is determined in the range of 100 to {100+(n-1)}. This embodiment uses 32 as only an example of the divisor (division).

Then, the information management apparatus 2 proceeds to step S37, and it generates a character string having the same digit number as that of the operation digit number and performs NULL clear, whereby there is generated a character string which has the same digit number as that of the operation digit number and in which all the digits are “0 (zero)”. The character string generated in this step S37 is used as an operation-object character string.

In step S38, the information management apparatus 2 performs an operation on the operation-object character string on the basis of the one-way hash function by means of the reference character string as a key. After completion of the operation in step S38, the information management apparatus 2 proceeds to step S39, binary-dumps the operation result to generate a character string. The generated character string becomes a unique code. It is because the result of the operation using the hash function may contain a control code that the binary dump is performed in step S39.
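Steps S31 to S39, followed by the replacement of step S14 and the same-code detection of the eighth subject matter, can be sketched as below. This is an added example, not code from the patent: the page names no specific hash, so HMAC-SHA-256 stands in for the keyed one-way function, character codes are taken as Unicode code points, the operation-object string is read as ASCII "0" characters, the binary dump is rendered as hexadecimal, and the record field names and sample records are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

DIVISOR = 32       # divisor used in step S35
DIGIT_BASE = 100   # value added to the remainder in step S36
PERSONAL_FIELDS = ("name", "birth_date", "sex")  # hypothetical field names


def reference_string(*fields):
    """S31-S32: join the personal data and remove half- and full-size spaces."""
    return "".join(fields).replace(" ", "").replace("\u3000", "")


def operation_digit_number(ref):
    """S33-S36: sum the character codes, take the remainder of /32, add 100."""
    total = sum(ord(ch) for ch in ref)  # assumption: Unicode code points
    return DIGIT_BASE + total % DIVISOR


def unique_code(*fields):
    """S37-S39: keyed hash of an all-zero string, dumped as printable text."""
    ref = reference_string(*fields)
    if not ref:
        # An empty key would give every such record the same code.
        raise ValueError("no personal data left after removing spaces")
    operand = "0" * operation_digit_number(ref)           # S37
    digest = hmac.new(ref.encode("utf-8"),                # S38 (assumed HMAC-SHA-256)
                      operand.encode("ascii"),
                      hashlib.sha256).digest()
    return digest.hex()                                   # S39: binary dump


def to_primary(record):
    """S14: copy the basic data and replace the personal data with the code."""
    code = unique_code(*(record[f] for f in PERSONAL_FIELDS))
    primary = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
    primary["unique_code"] = code
    return primary


def link_by_code(primary_records):
    """Group primary conversion data that carry the same unique code."""
    groups = defaultdict(list)
    for rec in primary_records:
        groups[rec["unique_code"]].append(rec)
    return dict(groups)


# Constructed sample basic data: the first two rows are the same patient
# entered with different spacing at two institutions; the third differs
# from them in the name only.
BASIC_DATA = [
    {"institution": "A", "name": "Yamada Taro", "birth_date": "3450412",
     "sex": "1", "disease": "influenza"},
    {"institution": "B", "name": "Yamada\u3000Taro", "birth_date": "3450412",
     "sex": "1", "disease": "fracture"},
    {"institution": "A", "name": "Yamada Jiro", "birth_date": "3450412",
     "sex": "1", "disease": "influenza"},
]

if __name__ == "__main__":
    primary = [to_primary(r) for r in BASIC_DATA]
    for code, recs in link_by_code(primary).items():
        print(code[:16], [r["institution"] for r in recs])
```

The code is deterministic for anyone who knows the procedure, because the key comes only from the personal data itself. Holding an additional secret key inside the information management apparatus and mixing it into the keyed hash is the usual hardening for that, which the page does not describe.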

In the unique code generation processing shown in FIG. 6, the operation digit number is determined on the basis of the character codes of the reference character string obtained by removing spaces from the personal data, so that when the reference character string differs even by one character, the operation digit number differs. Generally, it has been made clear that in an operation using the hash function, an operation result is greatly affected by a change in an initial value. When the operation digit number differs even slightly, therefore, the operation result comes to be extremely different. Further, in the unique code generation processing shown in FIG. 6, the operation is performed by means of the reference character string as a key, so that when the reference character string differs even by one character, the operation result is caused to have a far greater difference.

For example, when a unique code is generated on the basis of a name, a birth date and a sex, and if data of one of the name, birth date and sex differ by one character, an entirely different unique code is generated. Therefore, the probability of generating an identical unique code from personal data of a plurality of different persons is almost zero and negligible.

Further, the thus-generated unique code itself appears to be a meaningless character string, so that it is not possible to discover any regularity even when a number of unique codes are analyzed. It is hence substantially impossible to obtain personal data by operating on the unique code. Nor is it possible to determine whether the unique code is generated by using a name alone as a reference character string or whether it is generated from a reference character string containing a name and a birth date.

As described above, while the unique code is generated on the basis of personal data, there is no means of getting at personal data from the unique code itself, so that there is no possibility of personal data being revealed so long as the primary conversion data are simply used.

In the processing shown in FIG. 6, further, the unique code is generated after spaces are removed from the personal data, so that a difference in a descriptive method such as a method of using a space, etc., can be also addressed. In step S32 in FIG. 6, full size and half size spaces are removed. For example, when capital letters and small letters of the alphabet are included in the personal data, however, there may be performed the processing of converting all alphabetical letters to small letters.

Further, a plurality of unique codes can be intentionally generated from the personal data of one and the same person. That is, a unique code generated using a name and birth date as a reference character string and a unique code generated using a name, birth date and sex as a reference character string come to differ from each other. Therefore, when the correspondence relationship between personal data and the unique code generated on the basis of the personal data was revealed with regard to a particular person, the content of the reference character string would be changed to generate another unique code, so that it would be hence possible to prevent the personal data from being further revealed. Further, when different unique codes are generated as required depending upon the morphology of the basic data or the way of use of the unique codes, the processing rate of unique code generation processing can be increased, or the complexity of the unique code(s) can be further increased, so that the unique codes can be efficiently used.

FIG. 7 is a diagram showing a specific example for explaining the unique code generation processing shown in FIG. 6. In the example in FIG. 7, a unique code is generated from personal data of a male named YAMADA Taro having a birth date of May 15, 1970.

The personal data that the information management apparatus 2 extracts consists of a name “YAMADA Taro”, the birth date of “19700515” and a sex code of “1”. The information management apparatus 2 removes full size and half size spaces, to prepare the reference character string of “YAMADATaro197005151”. The reference character string contains the Japanese-language person's name having four “kanji” (Chinese-origin) character letters, so that the information management apparatus 2 acquires character codes from a Japanese-language kanji character code set such as the shift JIS character code set, or the like. In the Japanese character code set, kanji characters are handled as a 2-byte letter each, so that a 2-byte character code is obtained from each of the four kanji characters. Further, in the above character code set for the Japanese language, a half size figure is handled as a 1-byte letter, so that a 1-byte character code is obtained from each of the nine letters of “197005151”. Accordingly, 17-byte character codes are obtained from the reference character string of “YAMADATaro197005151”.

Then, the information management apparatus 2 sums up the character codes of the reference character string. As shown in FIG. 7, the information management apparatus 2 performs the operation of “8E+52+93+63+91+BE+98+59+31+39+37+30+30+35+31+35+31=5E3 (hexadecimal notation)” to determine a sum total “5E3” of the character codes. “5E3” represents “1507” when depicted by decimal notation. Then, the information management apparatus 2 divides the sum total “1507” of the character codes by “32”, to determine a quotient of “47” and a residual of “3”. The operation digit number is determined to be 103 digits by adding “100” to the residual of “3”. Then, the information management apparatus 2 generates a 103-digit operation-object character string of which all the digits are constituted of “0 (zero)”, and performs the operation based on the hash function using the reference character string of “YAMADATaro197005151”. The operation result is binary-dumped to generate, for example, a unique code of “69654665019b733fe725353a5884fd94469d85e857820ad6742c3fc1b1b2e1ec3ee38c2e63b541c7b11f0781cda5a82838b0d5e5b32ecefffeec6bd484356b69c97498dbdf54e706719ecc7d90db8254762b4437b429fb61843c009b1b9f5ec3d7b6085b5548b1”. It should be noted that this unique code is obtained by partly modifying the unique code actually obtained on the basis of the above reference character string, in consideration of security.
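Steps S32 to S39 with the FIG. 7 figures, as an added example that is not part of the patent text. The patent does not name the one-way hash function, so HMAC-SHA-256 stands in for it, and reading the all-“0” operation-object string as ASCII “0” characters is likewise an assumption; function names are hypothetical.

```python
import hashlib
import hmac

DIVISOR = 32        # divisor of step S35 (the embodiment's example value)
BASE_DIGITS = 100   # constant added in step S36


def reference_string(*fields: str) -> str:
    """Step S32: join the extracted fields, dropping half-size and full-size spaces."""
    return "".join(fields).replace(" ", "").replace("\u3000", "")


def operation_digit_number(ref: bytes) -> int:
    """Steps S34 to S36: sum the character-code bytes, take the remainder, add 100."""
    return BASE_DIGITS + sum(ref) % DIVISOR


def unique_code(ref: bytes) -> str:
    """Steps S37 to S39, with HMAC-SHA-256 standing in for the unnamed hash."""
    digits = operation_digit_number(ref)
    operation_object = b"0" * digits                       # S37 (ASCII "0": assumption)
    mac = hmac.new(ref, operation_object, hashlib.sha256)  # S38: ref is the key
    return mac.hexdigest()                                 # S39: dump as printable hex


# FIG. 7 reference string, rebuilt from the character codes listed in the text:
# four 2-byte Shift JIS kanji codes followed by the ASCII digits "197005151".
FIG7_REF = bytes.fromhex("8E52936391BE9859") + b"197005151"

# Constructed variant: same name and sex code, birth date one day later.
FIG7_NEXT_DAY = bytes.fromhex("8E52936391BE9859") + b"197005161"


def demo() -> dict:
    """Collect the intermediate values the FIG. 7 walk-through reports."""
    return {
        "bytes": len(FIG7_REF),
        "sum_hex": format(sum(FIG7_REF), "X"),
        "quotient": sum(FIG7_REF) // DIVISOR,
        "remainder": sum(FIG7_REF) % DIVISOR,
        "digits": operation_digit_number(FIG7_REF),
        "digits_next_day": operation_digit_number(FIG7_NEXT_DAY),
        "code": unique_code(FIG7_REF),
        "code_next_day": unique_code(FIG7_NEXT_DAY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
    # Constructed input: spacing differences collapse to one reference string.
    print(reference_string("Ann Lee", "19800101", "2"))
    print(reference_string("Ann\u3000Lee", "1980 0101", "2"))
```

The code depends only on the reference string, which is what lets records of one person match; the same determinism means that anyone holding the inputs and the procedure can recompute it.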

FIG. 8 is a diagram showing another specific example for explaining the unique code generation processing shown in FIG. 6. In the example shown in FIG. 8, a unique code is generated from personal data of a woman named Nancy Lopez having a birth date of Feb. 26, 1970.

The personal data extracted by the information management apparatus 2 includes a name “Nancy Lopez”, the birth date of “19700226” and a sex code of “2”. The information management apparatus 2 removes half size and full size spaces, to prepare a reference character string of “NancyLopez197002262”. In the various character code sets, half size alphabetic characters and figures are handled as a 1-byte character each, so that 19-byte character codes are obtained from the reference character string of “NancyLopez197002262”.

Then, the information management apparatus 2 sums up the character codes of the reference character string. As shown in FIG. 8, the information management apparatus 2 performs the operation of “4E+61+6E+63+79+52+6F+70+65+7A+31+39+37+30+30+32+32+36+32=5DB (hexadecimal notation)” to determine a sum total “5DB” of the character codes. “5DB” represents “1499” when depicted by decimal notation. Then, the information management apparatus 2 divides the sum total “1499” of the character codes by “32”, to determine a quotient of “46” and a residual of “27”. The operation digit number is determined to be 127 digits by adding “100” to the residual of “27”. Then, the information management apparatus 2 generates a 127-digit operation-object character string of which all the digits are constituted of “0 (zero)”, and performs the operation based on the hash function using the reference character string of “NancyLopez197002262” as a key. The operation result is binary-dumped to generate, for example, a unique code of “56b03813bad4c752a5c13247a0bc194ca607caf2e295646a061027d09c00d9ec9767f6e825c521647b16a19df9ee6041ae400b7fa1026c93491d1d577a815129626493b6e9da791e85203fd00018e6022a0215afb571b67fffd47d3e687dad79252ad98012bdd73d476edc0639a73cd9ca2a7f3c831e065bdd”. It should be noted that this unique code is obtained by partly modifying the unique code actually obtained on the basis of the above reference character string, in consideration of security.

FIG. 9 is a flow diagram showing more details of the processing of transmitting/receiving data in the embodiment of the present invention. FIG. 9(a) shows the processing that the information management apparatus 2 performs in step S17 in FIG. 5(a), and FIG. 9(b) shows the processing that the information center apparatus 4 performs in step S21 in FIG. 5(b).

In the processing of transmitting/receiving data shown in FIG. 9, public-key exchange according to the DH (Diffie-Hellman) technology is implemented, and primary conversion data are transmitted and received.

In step S41 (FIG. 9(a)), the information management apparatus 2 uses, for example, a random number to generate a private key PR1. In step S42, the information management apparatus 2 uses a predetermined operational expression to generate a public key PU1 from the private key PR1. In step S43, the information management apparatus 2 transmits the public key PU1 to the information center apparatus 4, and receives a public key PU2 from the information center apparatus 4, through the network 3.

On the other hand, in step S51 (FIG. 9(b)), the information center apparatus 4 generates a private key PR2 using a random number for example, and in step S52, the information center apparatus 4 uses a predetermined operational expression to generate a public key PU2 from the private key PR2. In step S53, the information center apparatus 4 transmits the public key PU2 to the information management apparatus 2, and receives the public key PU1 from the information management apparatus 2, through the network 3.

After the processing in the above steps S41 to S43 and the above steps S51 to S53, each of the information management apparatus 2 and the information center apparatus 4 has the private key that it has generated by itself and the public key that the other has generated. The processing shown in FIG. 5 may be implemented after completion of the processing in the above steps S41 to S43 and the above steps S51 to S53 between the information management apparatus 2 and the information center apparatus 4. That is, there may be employed a constitution wherein each of the information management apparatus 2 and the information center apparatus 4 has the private key that it has generated by itself and the public key that the other has generated prior to the implementation of the processing in FIG. 5. In this case, the public key PU1 and the public key PU2 may be transmitted/received through the network 3, or they may be inputted to the information management apparatus 2 and the information center apparatus 4, respectively, by means of input from the input device 25, or the like or from a portable recording medium.

In step S44 (FIG. 9(a)), the information management apparatus 2 generates a common key CK on the basis of the private key PR1 that it has generated by itself and the public key PU2 received from the information center apparatus 4.

In step S45, the information management apparatus 2 generates a session key SK. In the subsequent step S46, the information management apparatus 2 encrypts primary conversion data by means of the session key SK thereby to generate secondary conversion data.

Further, the information management apparatus 2 proceeds to step S47 and encrypts the session key SK by means of the common key CK, and in step S48, the information management apparatus 2 adds the encrypted session key SK to the secondary conversion data and transmits them to the information center apparatus 4.

Then, in step S49, the information management apparatus 2 prepares a transmission log showing the result of transmission to the information center apparatus 4, stores the secondary conversion data and the transmission log in the storage device 23 in a state in which they are correlated with the basic data and the primary conversion data stored in the storage device 23, and ends the processing.

On the other hand, in step S55 (FIG. 9(b)), the information center apparatus 4 receives the encrypted session key SK and the secondary conversion data. In the subsequent step S56, the information center apparatus 4 decrypts the received session key SK by means of the common key CK generated in step S54, and in step S57, it decrypts the secondary conversion data by means of the decrypted session key SK, to obtain the primary conversion data.

In step S58, the information center apparatus 4 registers the primary conversion data obtained in step S57 in the database 5 and ends the processing.
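The exchange of steps S41 to S57 with both sides' messages, as an added example that is not part of the patent text. The patent fixes neither the DH parameters nor the ciphers, so the RFC 3526 2048-bit MODP group, SHA-256 key derivation, and a SHA-256 counter keystream with an HMAC tag (a stand-in for a standard authenticated cipher) are assumptions, as are all function names and the sample record.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: RFC 3526 group 14 (2048-bit MODP prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """S41/S42 and S51/S52: random private key PR, public key PU = G^PR mod P."""
    private = 2 + secrets.randbelow(P - 3)
    return private, pow(G, private, P)


def common_key(own_private: int, peer_public: int) -> bytes:
    """S44 / S54: each side derives CK from its own PR and the peer's PU."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public key out of range")
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)


def apparatus_send(primary: bytes, pr1: int, pu2: int):
    """Information management apparatus 2, steps S44 to S48."""
    ck = common_key(pr1, pu2)        # S44: common key CK
    sk = secrets.token_bytes(32)     # S45: fresh session key SK
    secondary = seal(sk, primary)    # S46: secondary conversion data
    wrapped_sk = seal(ck, sk)        # S47: SK encrypted under CK
    return wrapped_sk, secondary     # S48: both are transmitted


def center_receive(wrapped_sk: bytes, secondary: bytes, pr2: int, pu1: int) -> bytes:
    """Information center apparatus 4, steps S54 to S57."""
    ck = common_key(pr2, pu1)        # S54
    sk = unseal(ck, wrapped_sk)      # S56
    return unseal(sk, secondary)     # S57: primary conversion data


if __name__ == "__main__":
    pr1, pu1 = dh_keypair()          # apparatus 2
    pr2, pu2 = dh_keypair()          # center apparatus 4
    # Constructed primary conversion record using the FIG. 11 unique code.
    record = b'{"unique_code": "548b1695d8e9a2b6085b5", "days": 3}'
    wrapped, secondary = apparatus_send(record, pr1, pu2)
    print(center_receive(wrapped, secondary, pr2, pu1) == record)
```

As in the described steps, nothing here authenticates PU1 or PU2, so the keys have to be checked by other means, for instance by delivering them on the portable recording medium the text mentions.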

FIG. 10 is a diagram showing an example of a database in which data including personal data are stored. The database shown in FIG. 10 is for storing a record including item data of a name, birth date and sex code of a person, a name of a medical institution, an injury or disease name, the number of days for medical treatment and contents of medical treatment, and it has a plurality of records stored therein with regard to a plurality of persons.

When data containing personal data are stored in a database as described above, database manipulations such as selection, projection, combination, etc., are performed using personal data as a key, and data can be extracted for respective persons. In a database having personal data stored therein, however, it is required to take measures for protecting personal data.

FIG. 11 shows an example of records to be stored in the database shown in FIG. 10, in which personal data is replaced with primary conversion data containing unique codes.

In the database shown in FIG. 11, a plurality of records containing unique codes is stored. The database shown in FIG. 11 contains no personal data, so that it is not required to take any special measures for protecting personal data.

In the database shown in FIG. 11, further, data can be manipulated for each person by means of the unique code as a key. For example, as shown in FIG. 11, when the manipulation for selection is carried out by means of a unique code of “548b1695d8e9a2b6085b5” as a key, two records, No. 1 and No. 4, are extracted. It is seen that the two extracted records relate to one and the same person since the unique codes are the same as each other. Even when the database shown in FIG. 10 is replaced with the database shown in FIG. 11, therefore, the easiness in retrieval of information is not impaired.

In this embodiment, there are used the primary conversion data in which personal data is replaced with the unique code as described above, so that the personal data can be reliably protected without impairing the usefulness of the information.

As described above, according to the information management system 1 in this embodiment, processing-object data containing personal data are not directly stored in a database. Instead thereof, a unique code is generated from personal data of a processing-object data (basic data), there are generated primary conversion data in which the personal data is replaced with a unique code, and the primary conversion data are stored in the database 5 and used for statistical processing. The unique code is generated from a reference character string obtained by removing spaces from personal data, by an operation using a one-way hash function, so that it is almost impossible to obtain the original personal data by a reverse operation. In the process of processing the primary conversion data, therefore, there is no apprehension of personal data being revealed.

Further, due to a characteristic feature that the operation result of the one-way hash function is extremely influenced by a change in an initial value, there are generated unique codes that can be said to be necessarily unlike and remarkably different when basic character strings differ from one another, that is, different personal data are used. That is, the possibility of identical unique codes being generated from personal data of different persons is very low and negligible, and the usefulness of primary conversion data can be maintained at a high level. Further, since the unique code is generated by determining an operation digit number on the basis of a basic character string and operating an operation-object character string having the above operation digit number by means of the basic character string as a key, remarkably different unique codes are generated when basic character strings differ from one another, so that the possibility of identical unique codes being generated from different personal data is further decreased and that the usefulness of primary conversion data can be maintained at a far higher level.

Like personal data, therefore, the unique code comes to have a unique value for each individual person, so that it can be used for retrieval and extraction of a number of data containing unique codes for each individual person. The primary conversion data containing unique codes in place of personal data are as useful as data containing personal data as described above, so that they can be used for statistical processing. When data containing personal data are processed, the use of the above primary conversion data can reliably keep the personal data secret and protect them without impairing the usefulness of the information. In the information management system 1, the information management apparatus 2 can efficiently generate primary conversion data from basic data.

Further, when the information management apparatus 2 generates primary conversion data from basic data, it causes the storage device 23 to store the primary conversion data and the original basic data in a state in which they are correlated with each other. Further, when the information management apparatus 2 generates secondary conversion data from the primary conversion data and transmits the secondary conversion data to the information center apparatus 4, it causes the storage device 23 to store the secondary conversion data, the primary conversion data as an origin of the secondary conversion data, the basic data that is an origin of the primary conversion data and a transmitting record in a state in which these are correlated with one another. When the generation of the primary conversion data, the generation of the secondary conversion data and information showing a transmission history in the information management apparatus 2 are stored, therefore, the flow of personal data can be reliably controlled.

When primary conversion data are transmitted from the information management apparatus 2 to the information center apparatus 4, the exchange of keys according to the DH technology is implemented, the primary conversion data are encrypted to generate secondary conversion data, and the generated secondary conversion data are transmitted through the network 3. The security can be also ensured reliably during the transmission of information through the network 3. Further, even if the primary conversion data should be revealed to a third party, there is no possibility of personal data being revealed, so that high reliability can be secured.

Further, the information center apparatus 4 stores the primary conversion data received from the information management apparatus 2 in the database 5 and can implement the processing of retrieval or the like by means of the unique code as a key with regard to a plurality of primary conversion data stored in the database 5. For example, there can be implemented the processing of so-called name-identification to extract primary conversion data containing one and the same unique code, whereby the information center apparatus 4 can perform accurate statistical processing in a state completely free of any possibility of revealing personal data.

While the above embodiment explains an example in which Rezept data are used as processing-object data of the information management system 1, the present invention shall not be limited thereto. For example, the present invention can be applied to the processing of data with regard to account numbers, account holders' names, deposit balances or transactions in a banking institution, and can be also applied to the processing of data containing names of pupils or students and records of learning results in an educational institution.

While the above embodiment has a constitution in which the recording medium reader 24 is used when the information management apparatus 2 acquires a basic data, the present invention shall not be limited thereto, and there may be employed a constitution in which the basic data are acquired by inputting from the input device 25. Further, the information management apparatus 2 may have a constitution in which a recording medium reading/writing device capable of writing information to a portable recording medium is provided in place of the recording medium reader 24, and the information center apparatus 4 may have a constitution having a reading device for reading out information from the portable recording medium to which information is written by the information management apparatus 2. This case does not use the network 3 when secondary conversion data are transmitted from the information management apparatus 2 to the information center apparatus 4, and there can be instead used a method in which the secondary conversion data are written in the portable recording medium with the recording medium reading/writing device of the information management apparatus 2 and the secondary conversion data written in the portable recording medium are read out by means of the reading device of the information center apparatus 4.

The constitution of the above embodiment may be changed or modified in some other points. That is, the above embodiment is at least an example and shall not limit the scope of the present invention.

INDUSTRIAL UTILITY

As is clear from the above explanation, the following effects can be brought about according to the present invention.

(1) According to the first subject matter of the present invention, in the information management apparatus for processing data containing personal data, personal data extraction means extracts the personal data from processing-object data, a unique code generation means generates a unique code from the personal data extracted by means of the personal data extraction means by implementing an operation using a one-way function, and primary conversion data generation means replaces the personal data of the processing-object data with the unique code to generate primary conversion data. It is almost impossible to get at the original personal data from the thus-obtained unique code even by implementing a reverse operation, and different unique codes are generated from personal data of different persons to such an extent that the unique codes can be said to be always and necessarily different. Primary conversion data containing unique codes in place of personal data therefore have usefulness equivalent to that of data containing personal data and can be used for statistical processing. And, when data containing personal data are processed, the use of these primary conversion data can reliably keep the personal data secret and protect them without impairing the usefulness of the information. And, according to the first subject matter of the present invention, the above primary conversion data can be efficiently generated.

(2) According to the second subject matter of the present invention, in the information management apparatus of the first subject matter of the present invention, the primary conversion data and the processing-object data as an origin of the primary conversion data are stored in storage means in a state in which they are correlated with each other. In the information management apparatus, therefore, the processing-object data containing personal data and the primary conversion data containing the unique code can be stored.

(3) According to the third subject matter of the present invention, in the information management apparatus of the first subject matter of the present invention, the unique code generation means generates a reference character string from the personal data, which is extracted by means of the personal data extraction means, and operation means operates a predetermined operation-object character string on the basis of a one-way function by means of the reference character string as a key to generate a unique code. Therefore, when reference character strings differ from one another, that is, when personal data of different persons are used, there are generated unique codes that have such differences that they can be said to be always different. That is, the possibility of identical unique codes being generated from personal data of different persons is negligible, and the usefulness of the primary conversion data can be maintained at a high level.

(4) According to the fourth subject matter of the present invention, in the information management apparatus of the third subject matter of the present invention, the operation means determines the operation digit number on the basis of the reference character string by means of the digit number determination means, generates the operation-object character string having an operation digit number by means of the operation-object character string generation means, and operates the operation-object character string on the basis of the one-way function by means of the reference character string as a key by operation implementation means. Therefore, when reference character strings differ, remarkably different unique codes are generated, so that the possibility of identical unique codes from different personal data comes to be far lower and that the usefulness of the primary conversion data can be maintained at far higher level.

(5) According to the fifth subject matter of the present invention, in the information management apparatus of the first subject matter of the present invention, the secondary conversion data generation means encrypts the primary conversion data to generate the secondary conversion data, the output means outputs the secondary conversion data to other apparatus, and when the output means outputs the secondary conversion data, the outputted secondary conversion data, the primary conversion data as an origin of the secondary conversion data, the processing-object data as an origin of the primary conversion data and the records of output from the output means are stored in the storage means in a state in which they are correlated with one another. In the information management apparatus, therefore, the processing-object data containing personal data, the primary conversion data containing the unique code, the secondary conversion data and the records of transmitting the secondary conversion data can be reliably stored.

(6) According to the sixth subject matter of the present invention, in the information management system wherein the information management apparatus for processing data containing personal data and the information center apparatus for managing data processed by the information management apparatus are connected via a communication line, the information management apparatus extracts personal data from processing-object data by means of the personal data extraction means, performs an operation using a one-way function on the basis of the personal data extracted by the personal data extraction means by means of the unique code generation means to generate a unique code, replaces the personal data of the processing-object data with the unique code by means of the primary conversion data generation means to generate primary conversion data, encrypts the primary conversion data by means of the secondary conversion data generation means to generate secondary conversion data, and outputs the generated secondary conversion data to the information management apparatus by means of the output means through the communication line, and when the output means outputs the secondary conversion data, the information management apparatus stores the outputted secondary conversion data, the primary conversion data as an origin of the secondary conversion data, the processing-object data as an origin of the primary conversion data and records of the output from the output means in storage means in a state in which they are correlated with one another. Further, the information center apparatus receives the secondary conversion data transmitted from the information management apparatus by receiving means and decrypts the secondary conversion data, which are received by the receiving means, by means of decryption means to generate the primary conversion data. Therefore, in addition to the effect achieved by the first subject matter of the present invention, the primary conversion data are encrypted and then transmitted from the information management apparatus to the information center apparatus, which can ensure reliability in security. Further, the primary conversion data alone are transmitted to the information center apparatus that is another apparatus different from the information management apparatus, so that there can be removed the possibility of personal data being revealed during the transmission of information data to the information center apparatus and during the course of processing of the information in the information center apparatus.

(7) In the seventh subject matter of the present invention, the information center apparatus in the information management system of the sixth subject matter of the present invention further has data storage means for storing the primary conversion data generated by the decryption means, and processes data stored in the data storage means by means of the unique code as a key. Therefore, primary conversion data containing no personal data are stored in the data storage means and various statistical processing operations can be performed using the data storage means. There can be therefore carried out accurate data processing equivalent to that in the case of using data containing personal data while reliably protecting the personal data.

(8) In the eighth subject matter of the present invention, the information center apparatus in the information management system of the seventh subject matter of the present invention detects data containing identical unique codes from a plurality of data containing unique codes stored in the data storage means. That is, like the processing of detection in a plurality of data containing personal data by means of personal data as a key, retrieval is performed with regard to a plurality of primary conversion data containing no personal data by means of a unique code as a key. Therefore, data can be processed without using personal data in a state in which data of one person are distinguishable from data of another person.

(9) According to the ninth subject matter of the present invention, there can be obtained the same effect as that of the above first subject matter of the present invention.

(10) According to the tenth subject matter of the present invention, there can be obtained the same effect as that of the above second subject matter of the present invention.

(11) According to the eleventh subject matter of the present invention, there can be obtained the same effect as that of the third subject matter of the present invention.

(12) According to the twelfth subject matter of the present invention, there can be obtained the same effect as that of the above fourth subject matter of the present invention.

(13) According to the thirteenth subject matter of the present invention, there can be obtained the same effect as that of the above fifth subject matter of the present invention.

1. An information management apparatus for processing data containing personal data comprising: personal data extraction means for extracting personal data from processing-object data; unique code generation means for performing an operation using one-way function on the basis of personal data extracted by said personal data extraction means, to generate a unique code; and primary conversion data generation means for replacing personal data of said processing-object data with said unique code, to generate primary conversion data.
2. An information management apparatus as recited in claim 1, which further comprises storage means for storing said primary conversion data and said processing-object data on which said primary conversion data are based in a state in which these data are correlated with each other.
3. An information management apparatus as recited in claim 1, wherein said unique code generation means comprises a reference character string generation means for generating a reference character string from personal data extracted by said personal data extraction means, and operation means for operating a predetermined processing-object character string by means of said one-way function using said reference character string as a key, to generate said unique code.
4. An information management apparatus as recited in claim 3, wherein said operation means comprises digit number determination means for determining an operation digit number on the basis of said reference character string, processing-object character string generation means for generating a processing-object character string having said operation digit number and operation execution means for operating said processing-object character string by means of said one-way function using said reference character string as a key.
5. An information management apparatus as recited in claim 1, which further comprises a secondary conversion data generation means for encrypting said primary conversion data to generate secondary conversion data, output means for outputting said secondary conversion data to other apparatus, and storage means for storing said outputted secondary conversion data, said primary conversion data on which said secondary conversion data are based, said processing-object data on which said primary conversion data are based and records of output from said output means in a state in which these data and records are correlated with one another when said secondary conversion data are outputted from said output means.
6. An information management system which comprises an information management apparatus for processing data containing personal data and an information center apparatus for managing data processed with said information management apparatus, the information management apparatus and the information center apparatus being connected to each other through a communication line; said information management apparatus comprising: personal data extraction means for extracting personal data from processing-object data; unique code generation means for performing an operation using one-way function on the basis of personal data extracted by said personal data extraction means to generate a unique code; primary conversion data generation means for replacing the personal data of said processing-object data with said unique code to generate primary conversion data; secondary conversion data generation means for encrypting said primary conversion data to generate secondary conversion data; output means for outputting said secondary conversion data to said information management apparatus through said communication line; and storage means for storing, when said secondary conversion data are outputted from said output means, said outputted secondary conversion data, said primary conversion data as an original of said secondary conversion data, said processing-object data as an original of said primary conversion data and records of the output made by said output means, in a state in which they are correlated with one another; said information center apparatus comprising: receiving means for receiving secondary conversion data transmitted from said information management apparatus; and decryption means for decrypting secondary conversion data received by said receiving means to generate said primary conversion data.
7. An information management system as recited in claim 6, wherein said information center apparatus further comprises data storage means for storing primary conversion data generated by said decryption means and processes data stored in said data storage means by means of said unique code as a key.
8. An information management system as recited in claim 7, wherein said information center apparatus detects data containing the same unique code from a plurality of data containing said unique codes stored in said data storage means.
9. A program for causing an information management computer for processing data containing personal data to execute processing comprising the steps of: extracting personal data from processing-object data by means of personal data extraction means, performing an operation using a one-way function on the basis of the personal data extracted by said personal data extraction means by means of unique code generation means to generate a unique code, and replacing personal data of said processing-object data with said unique code by means of primary conversion data generation means to generate primary conversion data.
10. The program of claim 9, which is for causing said information management computer to execute the processing which further comprises the step of storing said primary conversion data and said processing-object data as an origin of said primary conversion data in storage means in a state in which they are correlated with each other.
11. The program of claim 9, wherein the step of generating the unique code by said unique code generation means comprises the steps of: generating a reference character string from personal data, which are extracted by said personal data extraction means, by means of a reference character string generation means; and operating a predetermined operation-object character string by means of said one-way function using said reference character string as a key to generate said unique code.
12. The program of claim 11, wherein the step of generating said unique code with said operation means comprises the steps of: determining an operation digit number on the basis of said reference character string by means of digit number determination means; generating an operation-object character string having said operation digit number by means of operation-object character string generation means; and operating said operation-object character string by means of said one-way function by operation execution means using said reference character string as a key.
13. The program of claim 9, which is for causing said information management computer to execute the processing which further comprises the steps of: encrypting said primary conversion data by means of secondary conversion data generation means to generate secondary conversion data; outputting said secondary conversion data to other apparatus by output means; and causing storage means, when said secondary conversion data are outputted from said output means, to store said outputted secondary conversion data, said primary conversion data as an origin of said secondary conversion data, said processing-object data as an origin of said primary conversion data and records of the output from said output means, in a state in which they are correlated with one another.